Confronting the Cybersecurity Challenge
Security systems integrators, technical and legal experts define cybersecurity challenges, discuss solutions and outline opportunities.
DAVID WILLSON: From a more practical perspective, everything is so interconnected now with technology that you can’t ignore the cybersecurity piece. You can’t assume you’re separate and disconnected from everything else, which goes to one of Bill’s points. Your liability is going to be huge if there is a breach and you are in any way connected to a client’s network. They’re going to look to you for some of that liability responsibility. Like, obviously, with the Target hack and their HVAC company that was connected to their network.
WASHINGTON: One of the things currently available to the market is that most organizations are doing self-certifying, that their products meet various federal standards.
The migration of self-certifying is going to now start being written into contact language that is going to put liability and obligations on the integrator and installer to verify and have third-party verification that their security products that are being connected to IP networks meet minimum controls and standards.
It won’t be an elective or self-certification, but will be a verification process.
Are we seeing the beginning of recognition and change in terms of the concern about cybersecurity in the physical realm? What is the mentality or atmosphere out there right now?
PAUL THOMAS: We deal with very large enterprise customers and most of the security departments we work for report up through IT, and that’s changed over the past two years. Now we’re actually seeing lots of contract language that’s coming back, putting that onus on us. I’m not sure in the industry it’s widely accepted yet. I think it’s in its infancy as far as the industry paying attention to it.
We’re seeing a lot of pushback from our customers that are forcing us to go back to the manufacturers, and the manufacturers are throwing their hands up in the air saying they can’t really respond to what the customers are asking right now.
WASHINGTON: The tolerance or pain
points within smaller [end-user] companies is that at one time they used to believe cyber-attacks were only for people who had something to hide, such as the financial industry and national defense and intelligence organizations. Now they’ve found everyone is a target. Whether it’s identity theft or creating system-wide destruction to affect critical infrastructure, all bets are off for the hackers. They’re running script against every subnet and every industry, and whatever they can find to exploit they will install malware to make you part of a larger potential type of security threat.
The other piece we’re seeing is nations using IP and cybersecurity as an offensive military weapon; they’re going after everyone who is a potential target. Now that we’re actually at the level of cyberwar, we need to provide down to the weakest link in the chain to be able to ensure they can’t be a threat vector or attack vector for additional cybersecurity exploits.
BOZEMAN: You didn’t ask if the smart guys in the industry get it, which they do. You asked if the industry in general gets it, and the answer is no. That’s the bad news. The good news is they are concerned and aware. They throw their hands up and say, “What do I do? Am I going to be held liable? How much is it going to cost me to get into compliance?” But they also ask, “Is there a chance for me to make any money doing this?” They’re really at stage one.
I don’t think integrators this time are going to get the luxury they had for switching from analog to digital. I don’t think they can get around to it when they feel like it, two, three, four, five years. They’re going to get their butts kicked if they don’t get on the boat quickly. That goes for manufacturers as well.
WILLSON: Even with the smart guys who say they get it, the problem I’m seeing is people are associating cyber with computers. It goes right to the IT department. From my perspective, the IT guy is not the cybersecurity guy. They may have been forced to do that or had to learn on the job, but their focus is uptime and keeping the network running, not necessarily protecting it. So CEOs are basically saying cybersecurity is an IT problem, send it to those guys. They’re sort of pushing it off on someone else. They’re not taking it seriously, and it really is a risk-management issue, not just a technical issue. They have to be looking at the whole organization, how the information is flowing, how those connections they’re creating are creating new vulnerabilities, and how they’re going to address those and the liability it may place back on them.
LANNING: It’s been reported that only 30% of IT pros have any hands-on experience with cybersecurity work in their shop. If their industry is that thin on cybersecurity, you can imagine where our guys are. We’re down in the single digits, if not 1% or something, with any hands-on work, any kind of threat evaluation, any kind of vulnerability assessment or any kind of monitoring of our clients’ systems. The hardware manufacturers have a big problem with putting a big reset button on that device they’re hanging outside of peoples’ buildings.
WILLSON: The other thing we have to make sure with manufacturers and integrators is they don’t get caught into the trap a lot of companies are, in thinking there’s a silver bullet for security. If I use this managed service or this piece of hardware, or this piece of software I’m secure and I can forget about it. It’s a process. There’s no silver bullet. Unfortunately, companies are getting inundated with vendors who are saying, “Buy our product, we will make you secure,” and it’s not realistic.
WASHINGTON: There is no silver bullet, but there are appropriate levels of cyber hygiene. When we discuss the process of cyber hygiene, it goes back to the main fundamental areas that a systems integrator might be asked: Do you have an IP security policy that you as a systems integrator follows? That’s step one. Step two is do they have a systems security plan that they use to protect their information and their data, and if they do would they be willing to submit it for scrutiny and review by someone who was qualified to look at it, to see if they pass muster? Those are the two basic things, similar to if someone was coming in from a country that might require quarantine.
Security Is Our Business, Too
For professionals who recommend, buy and install all types of electronic security equipment, a free subscription to Security Sales & Integration is like having a consultant on call. You’ll find an ideal balance of technology and business coverage, with installation tips and techniques for products and updates on how to add sales to your bottom line.
A free subscription to the #1 resource for the residential and commercial security industry will prove to be invaluable. Subscribe today!